Why are passkeys safer than passwords?
Passkeys are becoming more of a reality by the day, but are you sure you understand how they work?
If you understand how key-based SSH authentication works, then you are already at home with the concept.
Simple version
A passkey is a secure, device‑based way to sign in using your fingerprint, face, or PIN instead of a password.
Medium version
Instead of something you remember and type, a passkey uses your device (your phone or computer) and your screen lock (fingerprint, face ID, or PIN) to sign in securely.
Your device (which stores a secret private key unique to you) proves it’s really you without sending a password to the website, so there’s no password for hackers to steal.
When you log in, your device proves you’re you without ever revealing the secret: it uses the private key to sign. Using the private key is the most sensitive action, and depending on settings and context you may or may not be prompted to authenticate. When authentication is needed, access to the private key is unlocked with your existing screen-lock method (fingerprint, PIN, or face ID).
If you switch devices, you’ll need to either sync your passkeys through your account or set them up again.
Full version (asymmetric cryptography)
Key Creation
When you create a passkey (e.g., during account setup on a website):
- Your device generates a key pair:
  - Private key: stays securely on your device.
  - Public key: sent to the website or service.
This is classic asymmetric (public-key) cryptography: the public key can verify a signature made with the private key, and so verify your identity, but only the private key can produce that signature, and so prove it.
Where Are Keys Stored?
- The private key is stored in your device’s secure enclave or TPM (Trusted Platform Module) — a hardware-isolated area designed to protect sensitive data.
- The public key is stored by the website or service you’re logging into.
You never type or transmit your private key — your device uses it internally to sign a challenge during login.
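The challenge-response login described above, written out as an added Go example using only the standard library (this is not code from the original post, and it is a simplified model rather than a real WebAuthn implementation). Device and Server are this example's own names, P-256 ECDSA stands in for whatever algorithm the authenticator supports, and the signed message binds the server's random challenge to the site origin, which is why a signature produced for one site is worthless on another.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Device models the authenticator (keeps the private key); Server models the website (keeps only the public key).
type Device struct{ priv *ecdsa.PrivateKey }
type Server struct{ pub *ecdsa.PublicKey }

// Register is key creation: a P-256 key pair is generated on the device and only the public half goes to the server.
func Register() (*Device, *Server, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv}, &Server{pub: &priv.PublicKey}, nil
}

// NewChallenge issues 32 fresh random bytes per login, so a signature captured from one login is useless for the next.
func (s *Server) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// digest binds the challenge to the site origin (a simplified stand-in for WebAuthn's hashed client data, which carries the origin).
func digest(challenge []byte, origin string) []byte {
	h := sha256.New()
	h.Write(challenge)
	h.Write([]byte(origin))
	return h.Sum(nil)
}

// Sign is the login step on the device: it proves possession of the private key by signing, without ever revealing the key.
func (d *Device) Sign(challenge []byte, origin string) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, d.priv, digest(challenge, origin))
}

// Verify is the server-side check, using nothing but the stored public key.
func (s *Server) Verify(challenge []byte, origin string, sig []byte) bool {
	return ecdsa.VerifyASN1(s.pub, digest(challenge, origin), sig)
}
```

Because Verify needs only the public key, a copy of the server's credential database gives an attacker nothing that can be used to log in, unlike a leaked password hash.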
What Happens If You Replace Your Device?
- A passkey that is not synced is bound to the device it was created on, so if you lose or replace that device, you lose the private key.
- However, modern ecosystems (Apple, Google, Microsoft) offer cloud sync of passkeys:
  - Your passkeys are encrypted and synced across your devices.
  - You can log in from a new device as long as you’re signed into your account (e.g., iCloud, Google Account).
If you’re using non-synced passkeys (e.g., on a Linux device without cloud integration), you’ll need to register a new passkey for the account on the new device.
